4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
Size

3.6MB
MD5

77c84bcdb8342762271a6bad343f6b72
SHA1

112ce87c47a648954fb86dd02978017601fa0912
SHA256

4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039
SHA512

f0925264c81568ae5300fb186ce1f56bab20bbc68f864f7d398d1df40e216ab005462558cc252ea7ea122ad469e264ccc9610505c27100af01426aff07b29ddf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	ecdevopti.exe
2592	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNF\\xbodsys.exe"	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBP9\\bodxsys.exe"	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe
2804	ecdevopti.exe
2592	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2804	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	30
PID 588 wrote to memory of 2804	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	30
PID 588 wrote to memory of 2804	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	30
PID 588 wrote to memory of 2804	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	30
PID 588 wrote to memory of 2592	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	31
PID 588 wrote to memory of 2592	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	31
PID 588 wrote to memory of 2592	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	31
PID 588 wrote to memory of 2592	588	4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe	31

C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe
"C:\Users\Admin\AppData\Local\Temp\4600115716bc1042a2d6a93993cc6eab088d10229bdee6e481a9d3b92a307039.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\FilesNF\xbodsys.exe
  C:\FilesNF\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesNF\xbodsys.exe

Filesize
3.6MB

MD5
ba3b212920e7a2ee95fbc3222d9a6349

SHA1
297bddec0b719f5db12ae736740de4b76f84faaa

SHA256
5a686cccd9bee8ce154ae553040bb9e9883ec6a417eb097f3643cff2b26f6a26

SHA512
705a0edf22d251b60c3ea9f4a6c5b917bc03a559498072d6965ea38126548b526dc7b6195966b5e55a9def275550a215f2a4604ae2ffdb2340d90b276acc173b

Download Submit
C:\KaVBP9\bodxsys.exe

Filesize
4KB

MD5
7b41954bee8856da62ef57345adc3522

SHA1
11b72bcd158990287c7502b2d89a500dd528be97

SHA256
53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2

SHA512
6ca7be3c24637b2cebe059bfaf0b67d1447edda13807cc42ee42f4d621f67bc6378b464eaa122e4a1b1a0119b9d19e5ad9d40b4adfad582ede44ce86614f7c62

Download Submit
C:\KaVBP9\bodxsys.exe

Filesize
3.6MB

MD5
dce86be9bec5e3fd84dc3d2dd0c8a3d3

SHA1
980c7dfd2083ad2e934ffa8656572c3a200a785d

SHA256
f8d2ce817220d1542bb8c62281dd8aac464412ba4037ec171688fd11651419f5

SHA512
91e756ac507edbc57eeb9e986c7e0c82985092085166e6e49a0e2989f5402ab3e072d270fd36266271da58e8d3747a25390f4cf5e295ef3edd18636ca4d4fabc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
5da504032aebc58d75c33842d6d9750f

SHA1
3386c2f2d57c6e525ec7e31e0e577b0a4618f639

SHA256
11504360f35c348ea9a0cc451fe104b185680dfa3fede65d705c7c047e396f7f

SHA512
3d7ad5d8c2e91acfb3dcd3ea379050f28b5a6567d1c6ab12ae4af3d3a52ef8b83fed6fd89b40de7176706af0fd93966fc24b53883c8beac26682b0699ba13671

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
5cb0d979e1eb1d93d8610154912220c3

SHA1
0d5c2ad44bdece658478b69195f90b4dfc322408

SHA256
ed438713d41ae8439101f233005bc28c1b399cee4357db9c3a2e26fcfa425d0a

SHA512
f119b6c0a700e734e2f0dde6802730d7f5090095e8cc71cb0a81ea5d0f6ecee8758e575ccc95cc6593cb224e7a1554ce69ca51f04bd27ec5d24d58faae56a840

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.6MB

MD5
223f89444824df920dd085b4d4e3cc08

SHA1
a8829e95c792d692b68970ab4b99a82974c129a7

SHA256
3676a50b973a06902179ccb6142d602e271adce205b5fc527b3ab15ee68129a7

SHA512
cf0b64d2e1390a11facc62ca66e87b6ba391d5b8f144a45b087b20dbad29ef767b4f1c6784dc3deb2bc2fa5de044fcc7b18e9371c072c5af3f40ff3cadffb82b

Download Submit